Snort 'n Dragon

This is the third in a series of excerpts from Chapter 7 of Incident Response, published in August 2001 by O'Reilly. This excerpt covers two tools used by sysadmins to detect when hackers are trying to access your network. You can use these tools to detect hackers before they do any damage.

Snort

Snort is neither just a protocol analyzer nor an intrusion detection system (IDS). It is a little of both, and can be very useful in incident response operations. Many of its features are similar to the TCPdump/Review combination mentioned above, but Snort has enough differences to discuss on its own. Like Ethereal, Snort is freely available in source code form under the GNU General Public License, for most Unix and Linux variants and distributions. However, unlike Ethereal, Snort is not a beta release. At the time of this writing, Snort is up to Version 1.7. What's more, Snort has an active community of users that freely exchange ideas and rulesets. For further information, see http://www.snort.org.

Where Snort's features really begin to come in handy (in addition to being able to do the basic network session capture and analysis functions) is in alerting the operator of certain events. For example, Snort can be configured to watch a network for a particular type of attack profile and then page the incident response team members when the attack takes place. Furthermore, you can define, at least to a degree, what events to look for and to alert on. These features are what makes Snort a decent lightweight network intrusion detection system, and useful to an incident response team. Figure 1 shows the end of a Snort network capturing session.

Figure 1. Example Snort output

Dragon

Dragon, from Network Security Wizards (now part of Cabletron Systems), is an industrial-strength distributed intrusion-detection system. Apart from being an excellent IDS, one of Dragon's biggest strengths as an incident response tool is that it has a very easy-to-use language for adding customized attack signature definitions. Combine that with its ability to monitor multiple Dragon sensors across an entire business enterprise on one browser-based security console, and you have an extremely powerful and flexible tool for assisting in incident response operations. Figure 2 shows example Dragon console reports.

Figure 2. Example Dragon console reports

Dragon does support pager alerting, as well as a relatively simple session playback mechanism. That's not to say that the playback mechanism is not useful, but it doesn't have the rich feature set of something like NetDetector. Figure 3 shows Dragon trigger output and Figure 4 is an example of its command-line interface. For further information on Dragon, see the vendor's Web page at http://www.securitywizards.com.

Tripwire -- When a hacker gets through your primary defences, its hard to tell what they may have done to your system. Tripwire can reliably detect changes to your system, including rootkits. This is the second in a series of excerpts from Chapter 7 of Incident Response.